commit 1741db9d7e4ccf05aba769c1d36e7ecb6688459f
author Micha Kraus <kraus.micha@gmail.com> Sat Dec 23 23:40:08 2017 +0100
committer Gilles Peskine <Gilles.Peskine@arm.com> Wed Jan 17 23:58:14 2018 +0100
tree 5cf1b2d7cef3a24f9840dbfec505a59f61b8e0d4
parent 5273182a20e14e24707dbd3009d53fcb18eadb84

fix bug in get_one_and_zeros_padding()

add test case (“0000000082”) which fails with the old implementation.

library/cipher.c

diff --git a/library/cipher.c b/library/cipher.c
index 1523b07..b0e0d87 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -485,14 +485,14 @@
     if( NULL == input || NULL == data_len )
         return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
-    bad = 0xFF;
+    bad = 0x80;
     *data_len = 0;
     for( i = input_len; i > 0; i-- )
     {
         prev_done = done;
-        done |= ( input[i-1] != 0 );
+        done |= ( input[i - 1] != 0 );
         *data_len |= ( i - 1 ) * ( done != prev_done );
-        bad &= ( input[i-1] ^ 0x80 ) | ( done == prev_done );
+        bad ^= input[i - 1] * ( done != prev_done );
     }
 
     return( MBEDTLS_ERR_CIPHER_INVALID_PADDING * ( bad != 0 ) );

tests/suites/test_suite_cipher.padding.data

diff --git a/tests/suites/test_suite_cipher.padding.data b/tests/suites/test_suite_cipher.padding.data
index d6fc266..1c0ba09 100644
--- a/tests/suites/test_suite_cipher.padding.data
+++ b/tests/suites/test_suite_cipher.padding.data
@@ -184,6 +184,10 @@
 depends_on:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
 check_padding:MBEDTLS_PADDING_ONE_AND_ZEROS:"0000000000":MBEDTLS_ERR_CIPHER_INVALID_PADDING:4
 
+Check one and zeros padding #8 (last byte 0x80 | x)
+depends_on:MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
+check_padding:MBEDTLS_PADDING_ONE_AND_ZEROS:"0000000082":MBEDTLS_ERR_CIPHER_INVALID_PADDING:4
+
 Check zeros and len padding #1 (correct)
 depends_on:MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
 check_padding:MBEDTLS_PADDING_ZEROS_AND_LEN:"DABBAD0001":0:4